iOS Privacy: steal.password - Easily get the user's Apple ID password, just by asking


Do you want the user’s Apple ID password, to get access to their Apple account, or to try the same email/password combination on different web services? Just ask your users politely, they’ll probably just hand over their credentials, as they’re trained to do so 👌

Disclaimer

This is just a proof of concept, phishing attacks are illegal! Don’t use this in any of your apps. The goal of this blog post is to close the loophole that has been there for many years, and hasn’t been addressed yet. For moral reasons, I decided not to include the actual source code of the popup, however it was shockingly easy to replicate the system dialog.

Why does this work?

iOS asks the user for their iTunes password for many reasons; the most common ones are recently installed iOS operating system updates, or iOS apps that got stuck during installation.

As a result, users are trained to just enter their Apple ID password whenever iOS prompts them to do so. However, those popups are not only shown on the lock screen and the home screen, but also inside arbitrary apps, e.g. when they want to access iCloud, GameCenter or In-App Purchases.

This could easily be abused by any app, just by showing a UIAlertController that looks exactly like the system dialog.

Even users who know a lot about technology have a hard time detecting that those alerts are phishing attacks.

How can you protect yourself

  • Hit the home button, and see if the app quits:
    • If it closes the app, and with it the dialog, then this was a phishing attack
    • If the dialog and the app are still visible, then it’s a system dialog. The reason is that system dialogs run in a different process, not as part of any iOS app.
  • Don’t enter your credentials into a popup; instead, dismiss it and open the Settings app manually. This is the same principle as never clicking links in emails, but opening the website manually instead
  • Even if you hit the Cancel button on a dialog, the app still gets access to the content of the password field. Even after you enter just the first few characters, the app probably already has your password.

Initially I thought faking those alerts required the app developer to know your email. Turns out, some of those auth popups don’t include the email address, making it even easier for phishing apps to ask for the password.

Proposal

Modern web browsers already do an excellent job protecting users from phishing attacks. Phishing within mobile apps is a rather new concept, and therefore still pretty unexplored.

  • When asking the user for their Apple ID credentials, instead of asking for the password directly, ask them to open the Settings app
  • Fix the root of the problem: users shouldn’t constantly be asked for their credentials. It doesn’t affect all users, but I myself had this issue for many months, until it randomly disappeared.
  • Dialogs from apps could contain the app icon in the top right of the dialog, to indicate that an app is asking you, and not the system. Push notifications already use this approach; this way, an app can’t just send push notifications that look like they come from the iTunes app.

I’ve reported this as a radar, which you can dupe: rdar://34885659 👍

Sometimes iOS shows the following notification on the lock screen, which opens the iCloud Settings screen. This is a much better approach than asking for the password directly:

Complexity

Showing a dialog that looks just like a system popup is super easy; there is no magic or secret code involved, it’s literally the examples provided in the Apple docs, with a custom text.

I decided not to open source the actual popup code, however, note that it’s less than 30 lines of code and every iOS engineer will be able to quickly build their own phishing code.

Q&A

Imagine if everybody read this before posting a comment on HackerNews/Reddit #oneCanDream :)

But, I have 2-factor enabled, I’m safe, right?

Good for you; everybody should obviously use 2-step verification, however many people don’t. At the same time, even if your Apple account is 2FA protected, many users still use the same username/password combination on most web services, meaning that if attackers know your Apple ID password, chances are high they’re going to try the same combination on other common services.

Also, even with 2FA enabled, what if the app asked you for your 2-step code? Most users would gladly request a 2FA token and enter it, and the app could pipe it directly to a remote server.

Apple would never accept such an app, right?

Apple is doing a great job protecting users from dangerous third party apps; that’s why the App Store is built and provided like it is, and that’s why we code sign our applications (not really, but kind of).

However, it’s rather easy to run certain code only after the app is approved. Those are not new ideas, but just to give you some examples:

  • Use remote code (which is not allowed by itself, except for JavaScript), React Native or a custom JS bridge is your friend
  • Use the iTunes search API to compare the current version number with the App Store version number (example request), this way the app can automatically enable malicious code after it got approved.
  • Use a remote configuration tool to enable a feature only after an app is approved by Apple
  • Use a time-based trigger: just skip running certain code for the first week after submitting the binary, meaning the code will only run once the app is either approved or rejected.
  • Pull an Uber and don’t run certain code when the location is near Cupertino (it’s probably fixed by Apple by now)

The things above are public knowledge, most iOS developers are aware of them, and I strongly advise against using any of this; Apple will eventually catch you and block your account.

The point of this list is: While the review process provides a basic safety filter, organisations with bad intent will always find a way to somehow work around the limitations of a platform.

Phishing on mobile? Is that a thing now?

This area will become more and more relevant, with users being uninformed and the mobile operating systems not yet clearly separating system UI from app UI. This is somewhat related to detect.location, where apps would write their own custom image picker to provide a better “experience”, but in reality, with that, they also get full access to your image library, and optionally also your camera (related to watch.user).

iOS should very clearly distinguish between system UI and app UI elements, so that ideally it’s even obvious to the average smartphone user that something seems off. This is a tricky problem to solve, and web browsers are still tackling it: there are still websites that make popups look like macOS / iOS popups, so that many users think it’s a system message.

But, but, but, why is the . symbol within the “ ”, is this all fake?

Nope, actually, that’s how the system dialog looks: the . is inside the “ ” string notation, so I designed the phishing dialog to also include the same style.

Similar projects I’ve worked on 

I published more posts on how to access the camera, the user’s location data, their Mac screen and their iCloud password, check out krausefx.com/privacy for more.

Open on GitHub

Tags: ios, privacy, phishing, login, credentials

iOS Privacy: detect.location - An easy way to access the user's iOS location data without actually having access


Update 2020-06-22: Apple has fixed this issue with iOS 14.

Does your iOS app have access to the user’s image library? Do you want to know your user’s movements over the last several years, including what cities they’ve visited, which iPhones they’ve owned and how they travel? Do you want all of that data in less than a second? Then this project is for you!

To see all the above with your data, download the DetectLocations app from the App Store.

What can you do with detect.location?

  • Get a history of the cities, countries, and other places a user has visited, as long as they took a picture there
  • Find the user’s place of work, by figuring out where they are from 9 to 5
  • Get a complete list of the user’s cameras and photography devices (which iPhones, Android phones, cameras) and how long they used each device
  • Use facial recognition to find out who the user hangs out with and who their partner is. Is the user single?
  • Understand the user’s background:
    • Did the user attend college? If so, which one?
    • Did the user recently move from the suburbs to the city?
    • Does the user spend a lot of time with their family?

What’s detect.location?

  • The native image picker built into iOS allows app developers to access the full image library, with all its metadata
  • With the raw PHAsset object, which represents a picture or video, you also get access to the image’s metadata. This includes the location and even the speed at which the user was traveling when the picture was taken.
  • In particular, an app can get the following data:
    • The exact location of each asset
    • The physical speed at which the picture/video was taken (how fast the camera was moving)
    • The camera model
    • The exact date + time
    • Other EXIF image metadata
  • With this information, you can render a route of the user’s travels, going back as far as they’ve had a GPS-enabled camera (like an iPhone, other smartphone, or modern point-and-shoot)
  • You can access all of this metadata without analyzing the contents of the image at all

For more information about the proposal on how this could be fixed, how the code works and more, check out the GitHub link below.

Open on GitHub



Tags: ios, privacy, location, images, library

How to get started contributing to open source projects

Submitting code to an open source project can be a very scary feeling. When I submitted my first pull request I was scared. Scared that I’m doing something wrong. Scared that my patch wasn’t useful. Scared that other developers would make fun of me. 

I slowly worked my way up, from submitting smaller contributions to random open source projects, to then publishing my first open source library TSMessages, to finally building and releasing fastlane, an open source project that is now being used by tens of thousands of companies.

I want to encourage more people to get started contributing to open source projects. This blog post will show you how important open source software is in today’s world, and how it can help you grow as an engineer.

Why developers and companies use open source software

👴 Project stays alive much longer

How often did you use a proprietary software solution, only to discover that the service is discontinued a few months after you’re fully ramped up?

Open source projects can be more robust in terms of maintenance, because there isn’t a single company that can decide to stop working on the project. Instead you have a group of maintainers that invest time and resources into a given piece of software. Even if nobody has access to the code repository any more, developers can fork the project and push it forward. This is something that I’ve done myself multiple times for dependencies we have in fastlane.

🔧 Independence: you can fix problems yourself

What happens if you use commercial software and run into a blocking issue with it? You’ll have to reach out to the support team, and hope they take your problem seriously and provide a fix for you. If the product was shut down, you’ll probably have no chance of getting any help at all.

With open source projects you are in full control over the software you run: You can dive into the source code, make changes and run those changes in your code base directly, without the original author’s approval. Even if a project is not being maintained any more, you can still not only use the open source software, but also fix issues and extend its feature sets.

🤝 Trust

What closed source binaries do you include in your mobile app? Each of them adds risk for your app and your users, as it adds multiple attack surfaces. You cannot tell what the binary does: it could be malicious, it could collect data you don’t want to track, it could call home without you knowing, it might have bugs causing other areas of the app to slow down or even crash, a man-in-the-middle attack might modify the binary while you download it, or the download server might get hacked, as happened with XcodeGhost just last year. A closed source binary as part of your build phase might even go as far as uploading your app’s source code, secret keys and other data from your local machine. Some of these problems also apply to open source projects; however, you do have more control over them. You can fork the project, audit the code, and then periodically merge it with the upstream repository after auditing the changes.

There are multiple approaches to mitigate man-in-the-middle attacks and future XcodeGhosts, like checking the code signature of the app and comparing the hashes against a known-good value; however, you’ll still never be able to tell what the binary does under the hood.

📖 Knowledge sharing

Open source code enables every person on the planet with access to a computer and internet to read your code and learn from it. This is extremely powerful and isn’t done in a lot of areas. For example when studying physics, you’ll soon notice how many papers and critical information are hidden behind paywalls or kept secret by the author.

Artsy is a great example: their apps are open source, so when someone asks one of the engineers how they do X, they can just link to the source code.

🛠 Open source build tools

Since I’m working on developer tooling most of the time, I think a lot about how essential tools are for a team to be productive. If they don’t work, you can’t ship to your users. Being in control of your most important infrastructure pieces is crucial to making sure you’re not dependent on third parties when 💩 hits the fan.

No matter if you work on mobile apps or something else, very often there are services that promise to take all the heavy lifting for you by providing a proprietary, hosted software solution. This is great if you are starting out, however, by relying on this kind of solution you accumulate technical debt that you will have to fix in the future.

With your business critical infrastructure pieces (which include build and deploy tools) you’ll want to have the knowledge of how they work, and ideally the opportunity to fix problems and customize the setup to fit your needs. If something doesn’t work you can dive into the code base, analyze the error, and fix the problem. This might not be as relevant for indie developers, but for bigger companies with dozens or hundreds of engineers depending on the build and release process, it is important to be able to fix systems as soon as they break.

Why contribute to open source projects?

Using open source software is awesome, but why would you care about working on one? 

📈 Scale of impact

It’s hard to imagine the impact you can have on developers all around the world when working on open source projects. 

You can have this kind of impact, either by working on an existing open source project, or also by open sourcing some code you wrote. Who knows, it might be the next big thing :)

🤔 How did I get started with open source?

The first time I got into open source is actually when I open sourced my first project called “TSMessages”. When I was showing my little app to Matthias at CocoaHeads in Vienna, he asked me if I could open source the custom notification bars I built. I didn’t know a lot about open source back then, but Matthias was kind enough to help me with the process.

At the time of release TSMessages had 2 classes and less than 400 lines of code. Within the next months more and more people started using it, resulting in a total of over a million downloads. Currently the project is actively being used by 13,000 apps.

Without having to put in extra work, I not only used TSMessages in all my personal apps, but also helped 13,000 other companies to show better notifications in their apps.

Impact with fastlane

fastlane started as my Bachelor project, where I put the code on GitHub after completing the first tool deliver. One tool led to another, resulting in the fastlane umbrella tool, containing 17 standalone tools, 170 built-in actions, and 180 third party plugins. Today fastlane has saved over 9,000,000 developer hours and is used by tens of thousands of companies around the world.

I never expected the project to grow this big. It started by only solving the problems I had as an iOS developer. No matter how small you think a script or tool is, it will probably help other developers out there who face the same challenges. Only 9 months after releasing the first version, fastlane joined Twitter, and I helped build a team around fastlane. Today, fastlane is a 6 person team based in San Francisco and Boston and is moving faster than ever.

👩‍💻 Career & Jobs

2 years ago, I didn’t know a single person working at one of the big tech companies. All the tech giants were a closed bubble for me coming from Europe: I couldn’t ask someone what it is like to work there, I didn’t have anyone to refer me, I didn’t know how the companies are structured. After moving to San Francisco, working for Twitter, and now Google, I have a much better sense of how things work.

If you’re in the same position I was 2 years ago, and you’re thinking about working at Google, Facebook, or similar, one of the best ways to get in touch with someone there is to contribute to one of the company’s open source projects.

Larger companies that own open source projects don’t always have the necessary resources to maintain all aspects of them. The organizations are happy about external maintainers, and depending on the team behind it, you might receive an email sooner or later :)

📃 Resume

Listing open source contributions in your CV is powerful. It shows engagement in the developer community, and that you’re potentially familiar with established tooling and frameworks in your field. Depending on your contribution, it demonstrates that you can navigate around in an existing code base, identify an issue, debug and fix problems, or extend the project’s feature set. The majority of engineers use open source software for their projects, however only a small percentage also contribute. It’s definitely a great plus point for every resume.

👍 To sum up

  • Learn new technology
  • Improve a project you use
  • Pimp your resume
  • Collaborate with people you would otherwise never work with
  • Your code could end up being used by millions of users (literally)
  • Internet points: the maintainers might tweet about your contributions
  • Many projects attribute their contributors on their website, or changelog - this has the nice side effect of boosting your personal search engine visibility also, especially if your name is common

How to get started with open source

Hopefully I got you interested in contributing to open source software, so the next question is, how do you best get started?

📢 Subscribe to a repo you’re interested in

By subscribing to notifications of an open source repo, you’ll get a good sense of what the community is like, what problems the contributors are facing, and where you can jump in to help. After a few weeks of following along, you’ll know what the community is working on and how you can help.

🤠 Don’t be discouraged, try contributing, people will help you

It’s scary submitting your first pull request to a new project. Some projects might not be looking for new contributors, so it’s a good idea to subscribe to a project before starting to contribute, so you get a feel for what the community is like.

With fastlane, we welcome all new contributors, mention every single one in the release notes by name, and after successfully getting multiple PRs merged and helping other people, we promote them to core contributors. 

🚌 Contribute to projects that are widely used, but have a low bus factor

There is a lot of open source software that’s being used by hundreds of thousands of projects, but has only a single maintainer. Often those projects are so foundational to everything in an ecosystem that people forget they exist. This is your chance to go through the list of projects with the worst bus factor and jump in and help.

The “bus factor” is the minimum number of team members that have to suddenly disappear from a project before the project stalls due to lack of knowledgeable personnel.

Source: Wikipedia

One example of where things went really wrong was the left-pad project, a tiny JavaScript library that was maintained by a single person, that broke thousands of projects.

👪 How to join the development team of open source projects

Becoming a core contributor of a project very much depends on the size of the project:

  • Hyper-scale open source projects (e.g. Swift, React Native): It’s going to be pretty difficult to stand out, as there are hundreds of active maintainers, and it’s hard to tell how actively the owners of the repo monitor the activity of contributors. Very often, those kinds of projects have mailing lists you can join.
  • Projects that are popular and the go-to solution in their field (e.g. devise, CocoaPods, fastlane): Those projects are a great opportunity to have extremely high impact on other developers, while still having a rather small core development team.
  • Low bus factor projects (see bus factor list): It’s rather easy and informal to join the development team. It’s usually enough to ping the current maintainer and ask about the plans for the project, and how you can help.

For many developers, the most interesting category is the second one: you can have a lot of impact within a short amount of time, get visibility, join a welcoming community, and learn from fellow developers.

🚀 Getting started

Sometimes it’s not so clear how to get started, so here are some tips on what you can do, in no specific order:

  • Helping out with an open source project is usually rather informal, often it’s enough to submit a smaller pull request
  • Look at some older issues and pull requests, and see if you can help get them resolved
  • See if there is a Slack group, Gitter or email group you can join to see what the core team talks about
  • Read through the documentation and guides to see if there are parts that aren’t clear and need updating
  • Most projects of this size will have a CONTRIBUTING.md file that explains how to get started with contributing code and helping users
  • There might be additional documentation on how the project is structured and where to get started
  • Many projects will have outdated documentation, it’s a great chance for you to get some “internet points” by improving those
  • Adding more tests to existing projects gives you great visibility on how the project works, while at the same time making the maintainers very happy. Unit tests are often self-contained, making it easy for you to add them.
  • Subscribe to the repo to see how the community members interact with each other, and get a sense of what problems the project is facing
  • Some projects use “you-can-do-this”, “help-wanted” or “beginner-friendly” GitHub labels for issues that are usually simpler fixes, with some instructions provided by the maintainers.
  • There might be monthly video calls to align the whole development team
  • Onboard the project from a new user’s perspective, and see if there are any rough edges you could improve
  • The core team might be active on social networks like Twitter, make use of them
  • If you have an idea on how you can improve the project, submit an issue first to get feedback from the core team before spending time on building it. This is especially important if it’s a new feature that will need to be maintained in the future. Don’t forget to look if an issue for this specific idea was already created.

The most important piece is to get out there and submit pull requests, the rest will happen automatically.

🎁 Wrapping up

Developers and companies become more and more aware of how important it is for their dependencies to be in open source, not only to see what’s happening under the hood, but also to be able to fix problems themselves or even run their own fork if needed. This is especially relevant for build and deployment tools, but also third party SDKs you ship with your app. 

It has never been easier to get started contributing to open source, all it takes is a computer with internet access. As an engineer, it’s a great move for your career to get involved in open source communities: You have great impact outside of your usual work scope and have the chance to work with people you’d never otherwise work with!

If you’re still unsure, and need help getting started with your first contribution, please send me a private message on Twitter (@KrauseFx), I’m more than happy to help wherever I can 👍


Shoutout to my friends who helped me with this blog post: @orta, @hemal, @schukin, @_caro_n, @acrooow, @sebmasterkde and @domysee.



Analyzing your public GitHub contributions using Google BigQuery

Do you like those GitHub graphs, but want to know even more about your open source behavior? GitHub has you covered with githubarchive.org. GitHubArchive offers dumps of all GitHub events of all users and open source projects. New ones are generated every single day, and are instantly accessible. They are very easy to use together with Google BigQuery.

If you have a Google Cloud account & project, click this link to give it a try. Use the Run Query button and wait for about 30 seconds, and you’ll get a list of people that comment on any of the fastlane repos most often in the year of 2017 (see screenshot below):

To run this query for your own GitHub organization, just replace 'fastlane/%' with your own GitHub org. You can also easily extend the query to show more columns (see the list of available events).

Running queries on your own profile

I was wondering how my GitHub behavior changed over the last few years; now that fastlane is actively being used by tens of thousands of companies, it’s harder to keep the innovation you had in the beginning.

The last 3 years I published a total of

  • 16,000 comments
  • 5,550 Pull Requests
  • 907 releases

across a high number of different open source projects, mostly fastlane, TSMessages, danger and lots of other projects.

Below you can see the last 5 years of open source code contributions:

Over the last 3 years, on average I did the following every single week:

  • Posted 77 comments on GitHub Issues
  • Submitted 28 Pull Requests (the first year of fastlane, I didn’t submit PRs on my own repos)
  • Posted 16 comments on GitHub Pull Requests
  • Published 5 fastlane releases

Wrapping up

You can extend those queries to show you more information that’s relevant to you. I initially wanted to use this to see which of our contributors are the most active, and make sure we promote them to be Core Contributors.

There has been quite some discussion around the GitHub graph (e.g. isaacs/github#627), as many engineers took it far too seriously and tried to have a long streak without any interruptions. GitHub reacted to the feedback and removed the streak count from all profiles, and added an option to show private contributions on the graphs.

Special thanks to @sebmasterkde for coming up with the initial queries.

Note: The data shown above is from May, as that’s when I wrote this blog post, but was kind of distracted with more important things (life and such) and finally found the time to publish this post.

/* GitHub query to get the number of comments, PR, releases, etc. for a given GH org */

WITH 
  ProjectData AS (SELECT * FROM `githubarchive.day.2017*` WHERE repo.name LIKE 'fastlane/%'),
  Actors AS (SELECT DISTINCT(actor.login) AS login FROM ProjectData)

SELECT * FROM (
  SELECT 
    actors.login,
    (SELECT COUNT(*) FROM ProjectData WHERE type = 'IssueCommentEvent' AND actor.login = actors.login) AS Comments,
    (SELECT COUNT(*) FROM ProjectData WHERE type = 'PullRequestEvent' AND actor.login = actors.login) AS PRs,
    (SELECT COUNT(*) FROM ProjectData WHERE type = 'PullRequestReviewCommentEvent' AND actor.login = actors.login) AS ReviewComments,
    (SELECT COUNT(*) FROM ProjectData WHERE type = 'ReleaseEvent' AND actor.login = actors.login) AS Releases,
    (SELECT COUNT(*) FROM ProjectData WHERE type = 'IssuesEvent' AND actor.login = actors.login) AS ClosedRenamedAndLabeledIssues
  FROM Actors as actors
)
WHERE PRs > 0 OR Comments > 0
ORDER BY PRs DESC, Comments DESC;
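The “Running queries on your own profile” section above gives per-week numbers but no query for them, so here is an added example, not part of the original post, that uses the same githubarchive tables to produce weekly counts for a single user across all public repos instead of one org. It assumes the githubarchive schema (actor.login, type, created_at as a TIMESTAMP, payload as a JSON string); 'YOUR_GITHUB_LOGIN' is a placeholder to replace with your own login.

```sql
-- Added example (not from the original post): weekly activity of a single
-- GitHub user across all public repos, built on the same githubarchive tables
-- as the org query above. Assumptions: actor.login, type, created_at (TIMESTAMP)
-- and payload (JSON string) follow the githubarchive schema; 'YOUR_GITHUB_LOGIN'
-- is a placeholder.
WITH UserEvents AS (
  SELECT
    type,
    JSON_EXTRACT_SCALAR(payload, '$.action') AS action,
    DATE_TRUNC(DATE(created_at), WEEK) AS week_start
  FROM `githubarchive.day.2017*`
  WHERE actor.login = 'YOUR_GITHUB_LOGIN'
),
Weekly AS (
  SELECT
    week_start,
    COUNTIF(type = 'IssueCommentEvent') AS issue_comments,
    -- Only count PRs the user opened: PullRequestEvent also fires on close/merge.
    COUNTIF(type = 'PullRequestEvent' AND action = 'opened') AS prs_opened,
    COUNTIF(type = 'PullRequestReviewCommentEvent') AS review_comments,
    COUNTIF(type = 'ReleaseEvent') AS releases
  FROM UserEvents
  GROUP BY week_start
)
SELECT
  week_start,
  issue_comments,
  prs_opened,
  review_comments,
  releases,
  -- Average over all weeks in the scanned range, for the "per week" figures above.
  ROUND(AVG(issue_comments) OVER (), 1) AS avg_issue_comments_per_week,
  ROUND(AVG(prs_opened) OVER (), 1) AS avg_prs_per_week,
  ROUND(AVG(releases) OVER (), 1) AS avg_releases_per_week
FROM Weekly
ORDER BY week_start;
```

Run it with standard SQL enabled, as the backtick table wildcard and COUNTIF are standard-SQL syntax. Two caveats: the org query above counts every PullRequestEvent, including the close and merge events, so its PR column is higher than the number of PRs actually opened, which the action filter here avoids; and BigQuery bills by bytes scanned, so narrow the table wildcard (e.g. `githubarchive.day.201701*`) before widening it to several years.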

Tags: open source, github